Bugtraq mailing list archives
Re: Mambo Open Source, Path disclosure
From: Vasiliy <security () gugol ru>
Date: Sat, 05 Nov 2005 15:52:27 +0300
alireza hassani wrote:
> Demonstration URL :
> --------------------
> http://www.example.com/mambo/index.php?option=com_content&task=section&id=1&Itemid=PATH

I've just tried this on one of my "vulnerable" Mambo installations and got nothing but a blank screen. I wonder why this happened?.. Could it be because displaying PHP errors is turned off, as it should be in any production environment?

> Solution:
> --------------------
> There is no vendor-supplied patch for this issue at this time but we are not advising you to upgrade to Joomla because Mambo, version 4.5.3, will be released soon (by the end of November this year). 4.5.3 represents the new Team’s first consolidation of bug fixes and includes a number of security enhancements.

Isn't this "solution" somewhat overcomplicated? If someone wants to work around this bug, it's not necessary to upgrade. It would be enough just to follow basic security principles.

--
wbr, Vasiliy
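
The production setting the reply refers to can be checked mechanically. The following is an added example, not code from this thread or from the Mambo project: a small Python audit of php.ini text that reports whether error output is enabled and whether errors are still logged. The sample ini contents, the log path and the function names are constructed for illustration; it assumes the last assignment of a directive wins, and it does not see runtime overrides (ini_set, .htaccess, .user.ini).

```python
# Constructed sample php.ini contents (not taken from any real installation).
WEAK_INI = """[PHP]
display_errors = Off   ; earlier value
display_errors = On    ; later duplicate, assumed to override the first
log_errors = Off
"""
HARDENED_INI = """[PHP]
display_errors = Off
log_errors = On
error_log = "/var/log/php_errors.log"   ; constructed path
"""

# Values PHP's ini parser reads as boolean false; display_errors also accepts
# "stdout" and "stderr", which are treated as enabled here.
FALSY = {"", "0", "off", "no", "false", "none"}

def parse_ini(text):
    """Return {directive: value}; simplification: ';' always starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, [section] header, or not an assignment
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """List settings that expose PHP errors to visitors or lose them entirely."""
    s = parse_ini(text)
    findings = []
    # A missing directive falls back to PHP's built-in default, which is on
    # for both display_errors and log_errors.
    if s.get("display_errors", "1").lower() not in FALSY:
        findings.append("display_errors is enabled: error text, including file paths, is output")
    if s.get("log_errors", "1").lower() in FALSY:
        findings.append("log_errors is disabled: errors are not written to any log")
    elif not s.get("error_log"):
        findings.append("error_log is unset: errors go to the server's default error log")
    return findings

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(ini) or "no findings")
```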